Protecting GC networks and information with the Top 10 (ITSE.10.089)

The Internet is crucial to Government of Canada (GC) business, but using such technology can also make the GC’s networks vulnerable. Since many GC systems are connected to the Internet, if one department is compromised, all GC departments could be put at risk. Cyber intrusions are costly to a department’s operations, reputation and service delivery. Consequently, departments need sound IT Security programs that minimize vulnerabilities and counter threats. Be proactive and help your department mitigate common and current exploits. Consider implementing CSE’s Top 10 IT Security Actions.

Secure your network with CSE’s Top 10 for the GC

The Top 10 are based on CSE’s hands-on knowledge and many years of experience mitigating thousands of cyber incidents impacting GC departments and agencies. The Top 10 is a practical list of actions departments can take to be more secure, and these actions are specifically tailored to address the threats impacting the GC. With a constantly changing threat landscape, the Top 10 are a great start. However, security needs to become a continuously evolving practice in order to effectively protect our assets.

Minimize IT security risks

Implementation is key. Most compromises that have occurred at GC departments were the direct result of not implementing, at a minimum, the Top 10 IT Security Actions. These actions, when implemented, help decrease departments’ threat surface, and in turn, increase cyber adversaries’ costs.

Without a sound IT security program that adapts to the evolving threat landscape, a department could experience a serious cyber security incident resulting in significant recovery costs, or a threat actor could gain access to sensitive and operational information.

Take one step at a time

The Top 10 should be implemented in numerical order to increase your protection efforts against cyber threats. However, the sequence in which they are implemented can be changed to suit your department’s constraints and requirements — the goal is to implement them. The security actions will still work together to decrease your threat surface and increase your security posture.

Figure 1: Top 10 IT security actions

  1. Consolidate, monitor, and defend Internet gateways
  2. Patch operating systems and applications
  3. Enforce the management of administrative privileges
  4. Harden operating systems and applications
  5. Segment and separate information
  6. Provide tailored training
  7. Protect information at the enterprise level
  8. Apply protection at the host level
  9. Isolate web-facing applications
  10. Implement application allow lists
 

Collaborate with other departments

Up to 1 Billion - Number of malicious attempts blocked by CSE every day

Some departments have already successfully implemented many of the Top 10 IT Security Actions, so you don’t need to start from scratch. Leverage the experience of colleagues at these departments. Tap into the various communities via SSC, Treasury Board of Canada Secretariat’s (TBS) Chief Information Officer Branch (TBS-CIOB), Heads of IT (HOIT), and the CIO Council (CIOC).

 

Initiate IT security best practices

1700+ - Number of GC IT professionals trained annually at CSE

IT Security is everyone’s responsibility. While the Top 10 focuses mostly on improving the security of the IT infrastructure and network itself, fostering a culture of security awareness at all levels is also vital.

As members of the GC community, we must work together to increase awareness of IT security best practices—starting with executive endorsement. By encouraging and supporting IT security awareness across all levels of your organization, every user will play a role in protecting Canadian information.

 

Be agile

500 Million - Number of personal information records stolen or lost in 2015. (Symantec, 2016)

As the threat landscape evolves, departments must stay vigilant and mature their IT security practices. The Top 10 IT Security Actions address most threats currently seen active on GC systems. However, these actions are only the first steps to increasing a department’s security posture and should be followed up by using ITSG-33, IT Security Risk Management: A Lifecycle Approach, to create a profile based on your threat and risk assessment (TRA). Protect your network. Protect Canada's information.

 

Talk with your IT Security professionals today to ensure CSE's Top 10 IT Security Actions are incorporated into your departmental plan.
